Hybrid Cloud: Setting up AWS CloudFront

Learn how to set up AWS CloudFront for Hybrid Cloud

Written by Peter Francis

Before working on these steps, please be sure you've set up the AWS S3 bucket.


Xembly uses CloudFront as a content delivery network (CDN) to ensure low latency for streaming video content. We also use CloudFront to sign our streaming URLs for greater security.

  • Go to the CloudFront service in AWS and click Create Distribution. This will open a new page.

Configure the fields below as follows:

  • Use the S3 bucket created earlier as the origin domain

  • Origin access should be "Origin access control settings (recommended)". With an origin access control, CloudFront signs its requests to the S3 origin, so the bucket can stay private.

    • If you don't have any origin access controls yet, click the Create control setting button; otherwise select an existing one from the dropdown list.

  • For default cache behavior, leave Path pattern as "Default (*)"

  • Compress objects automatically - "No"

  • Viewer protocol policy should be "HTTPS only"

  • Allowed HTTP methods - "GET, HEAD, OPTIONS"

  • Restrict viewer access - "No" (for now; we'll change this later)

  • Cache policy - "CachingOptimizedForUncompressedObjects"

  • In Additional settings set Smooth streaming to "Yes"

  • WAF, edge locations, custom domain name/SSL certificate settings - we don't require any of these; follow your own corporate preferences.

When done with all the previous steps:

  • Click Create Distribution. You will see a yellow banner at the top that says, "The S3 bucket policy needs to be updated".

  • Click Copy Policy and save the policy somewhere. We will need it in a later step.

Creating Signing Keys

Since CloudFront is also used for signed URLs, you need to create a signing key and set up a trusted key group containing this key in CloudFront (a key group lets you rotate keys without temporarily losing access).

Pro Tip: You will need the private key in the Xembly Admin Dashboard, so please save it somewhere for quick access.

  • Copy and paste the public key into the "Key" field and click Create Public Key.

Pro Tip: You will need the public key ID in the Xembly Admin Dashboard, so please copy it somewhere after you create the key.

Next, we'll need to create a Key Group. This gives you the ability to create and rotate new keys without disrupting service: you add the new key while the old one is still active and only delete the old one once everything is configured.

  • On the left navigation click Key Groups and Create Key Group

  • Name the key group and select the public key we created before

Once we have our key group:

  • Go back to the distributions

  • Click the distribution we created earlier

  • Click Behaviors, select the current behavior

  • Click Edit

  • On the edit screen, change Restrict Viewer Access to Yes

  • Keep the Trusted key groups selection and select the key group we created earlier

  • Click Save Changes
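The following script is an added example, not Xembly's code or part of the original article. It shows what the signing key and key group above are for: `make_signing_keypair` generates the RSA key pair with openssl (the public key is what you paste into the CloudFront "Key" field; the private key is what the Admin Dashboard holds), `cloudfront_signed_url` builds a signed URL using CloudFront's canned-policy scheme (RSA-SHA1 signature over a small JSON policy, encoded with CloudFront's URL-safe base64), and `verify_signed_url` checks a signed URL against the public key the way CloudFront does, so you can confirm that changing the path or expiry invalidates the signature. The key pair ID, distribution domain and expiry time in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not Xembly's code): RSA signing key pair for a CloudFront
# trusted key group, plus canned-policy signed URL creation and verification.
# Placeholders: KXXXXXXXXXXXXX (key pair ID), EXAMPLE.cloudfront.net (domain).
set -eu

# CloudFront trusted key groups take an RSA public key in PEM format.
# private_key.pem goes into the Xembly Admin Dashboard; public_key.pem is
# pasted into the CloudFront "Key" field.
make_signing_keypair() {
  dir="$1"
  openssl genrsa -out "$dir/private_key.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/private_key.pem" -pubout -out "$dir/public_key.pem" 2>/dev/null
}

# CloudFront's URL-safe base64 replaces '+' with '-', '/' with '~', '=' with '_'.
cf_b64() { openssl base64 -A | sed 'y|+/=|-~_|'; }
cf_b64_decode() { sed 'y|-~_|+/=|' | openssl base64 -d -A; }

# Canned policy: the resource URL and an expiry as a Unix epoch. CloudFront
# signs this exact byte string with RSA-SHA1.
canned_policy() {
  printf '{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}' "$1" "$2"
}

# Produce <url>?Expires=...&Signature=...&Key-Pair-Id=... (the base URL is
# assumed to carry no query string of its own).
cloudfront_signed_url() {
  url="$1"; expires="$2"; key_pair_id="$3"; private_key="$4"
  sig=$(canned_policy "$url" "$expires" | openssl dgst -sha1 -sign "$private_key" | cf_b64)
  case "$url" in *\?*) sep='&';; *) sep='?';; esac
  printf '%s%sExpires=%s&Signature=%s&Key-Pair-Id=%s\n' "$url" "$sep" "$expires" "$sig" "$key_pair_id"
}

# Defender-side check: rebuild the canned policy from the URL's own parameters
# and verify the signature with the public key. Returns 0 only if it verifies.
verify_signed_url() {
  signed="$1"; public_key="$2"
  base=$(printf '%s' "$signed" | sed 's/[?&]Expires=.*//')
  expires=$(printf '%s' "$signed" | sed -n 's/.*[?&]Expires=\([0-9]*\).*/\1/p')
  sig=$(printf '%s' "$signed" | sed -n 's/.*[?&]Signature=\([^&]*\).*/\1/p')
  tmp=$(mktemp)
  printf '%s' "$sig" | cf_b64_decode > "$tmp"
  if canned_policy "$base" "$expires" | openssl dgst -sha1 -verify "$public_key" -signature "$tmp" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Usage (placeholders): generate keys, sign a manifest URL valid until the given epoch, verify it.
# KDIR=$(mktemp -d); make_signing_keypair "$KDIR"
# URL=$(cloudfront_signed_url "https://EXAMPLE.cloudfront.net/videos/demo.ism/Manifest" 1893456000 KXXXXXXXXXXXXX "$KDIR/private_key.pem")
# verify_signed_url "$URL" "$KDIR/public_key.pem" && echo "signature OK"
```

Because the resource URL is part of the signed policy, a URL whose path has been altered fails verification even though the Signature parameter is unchanged; the same applies to an edited Expires value. Rotating keys means adding the new public key to the key group, switching the Dashboard to the new private key, and only then removing the old public key.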

Thumbnail Support

The last step is adding another behavior, with slightly different settings, for serving thumbnails.

  • Open your distribution

  • Click on the Behaviors tab

  • Click the Create Behavior button

Use the following settings:

  • Put "/thumbnails/*" in the Path pattern

  • Select your S3 bucket in the Origin and origin groups

  • Compress objects automatically - "No"

  • Viewer protocol policy - "HTTPS only"

  • Allowed HTTP methods - "GET, HEAD, OPTIONS"

  • Restrict viewer access - leave as "No" (we use thumbnails in emails, so they need to be public; this data is considered safe to serve over unsigned URLs)

  • Cache policy - "CachingOptimizedForUncompressedObjects"

  • Click Create Behavior

  • Once you've done all this, click back into the distribution and capture the distribution domain name.

Pro Tip: Save the distribution domain name. We'll need it later in the Xembly Admin Dashboard.

Setting the S3 Bucket Policy

Remember that earlier we generated a bucket policy as part of the CloudFront distribution setup.

  • Go back to S3

  • Click on the bucket we created

  • Click Permissions

  • Click Edit under "Bucket Policy"

  • Copy and paste the policy we saved and click Save Changes

Using AWS KMS

If you choose to use your own managed keys in KMS to encrypt the S3 bucket, some extra configuration is required on the key policy to allow the IAM user we created and CloudFront to use the key.

Follow these steps:

  • Open the KMS console in AWS

  • Click on the key you are using

  • Click Edit on the Key Policy

From there you'll need to add the following two policy statements:

```json
"Statement": [
  {
    "Sid": "Allow use of the key for app-xembly-user",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<YOUR IAM XEMBLY USER ARN>"
    },
    "Action": [
      "kms:Decrypt",
      "kms:Encrypt",
      "kms:GenerateDataKey*"
    ],
    "Resource": "*"
  },
  {
    "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<YOUR AWS ACCOUNT ID>:root",
      "Service": "cloudfront.amazonaws.com"
    },
    "Action": [
      "kms:Decrypt",
      "kms:Encrypt",
      "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::<YOUR XEMBLY CLOUDFRONT DISTRIBUTION ARN>"
      }
    }
  }
]
```

More information can be found here.
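As an added illustration (not from the article), here is what the complete key policy looks like once the two statements above are merged into it. The first statement is the default one KMS puts on a new key; it must stay in place, because a key policy that drops the account's administrative access can leave the key unmanageable. The placeholders are the same as above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR AWS ACCOUNT ID>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key for app-xembly-user",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR IAM XEMBLY USER ARN>"
      },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR AWS ACCOUNT ID>:root",
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::<YOUR XEMBLY CLOUDFRONT DISTRIBUTION ARN>"
        }
      }
    }
  ]
}
```

The `AWS:SourceArn` condition scopes the CloudFront service principal to your one distribution, so another account's distribution cannot use this key even though the service principal itself is shared.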


Learn how to set up the Xembly Admin Panel with all the information you've saved to finish setting up Hybrid Cloud.
